Command injection in OpenClaw - CVE-2026-32063


Published: May 1, 2026


Vulnerability identifier: #VU128836
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-32063
CWE-ID: CWE-77
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software: OpenClaw

Detailed vulnerability description

The vulnerability allows a local user to execute arbitrary commands.

The vulnerability exists due to improper neutralization of special elements (CWE-77) in the systemd unit generator in src/daemon/systemd-unit.ts, which renders Environment= entries from attacker-controlled configuration values without validating or escaping them. systemd reads a unit file one directive per line, so a value that contains a newline terminates the Environment= line, and everything after the newline is parsed as further directives of the [Service] section. A local user who can set such a value can therefore append directives that make systemd run arbitrary commands when the unit is started.

Exploitation requires the attacker to influence config.env.vars, invoke the install or reinstall path so that the unit file is written to disk, and then have the service started or restarted. The injected command runs with the privileges of the OpenClaw gateway service user, so the impact is bounded by how that service account is provisioned.
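The pattern the advisory describes, as an added illustration that is not OpenClaw's code: a toy unit renderer that interpolates configuration values into Environment= lines, a helper that lists the directives systemd would see, and a hardened renderer that refuses control characters and double-quotes the assignment. All function names, the sample configuration and the hardening approach are mine; the vendor's actual fix may differ.

```typescript
// Added illustration, not OpenClaw's code. Shows how an unvalidated newline in
// an Environment= value becomes extra systemd directives, and one way to stop it.

type EnvVars = Record<string, string>;

// Unsafe pattern: config values are interpolated straight into the unit text.
function renderUnitUnsafe(env: EnvVars): string {
  const lines = ["[Service]"];
  for (const name of Object.keys(env)) {
    lines.push(`Environment=${name}=${env[name]}`);
  }
  lines.push("ExecStart=/usr/bin/true");
  return lines.join("\n") + "\n";
}

// systemd reads a unit one directive per line. This helper lists the directive
// names it would see in the rendered text, so an injected line becomes visible.
function directiveNames(unit: string): string[] {
  return unit
    .split("\n")
    .filter((line) => line.includes("=") && !line.startsWith("["))
    .map((line) => line.slice(0, line.indexOf("=")));
}

// Hardened renderer: variable names must be plain identifiers, values must not
// contain C0 control characters (newline, carriage return, NUL, ...), and the
// assignment is wrapped in double quotes with backslash and double quote
// escaped, which is the quoted form systemd.syntax(7) accepts for Environment=.
const ENV_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;
const CONTROL_CHARS = /[\x00-\x1f\x7f]/;

function isSafeEnvValue(value: string): boolean {
  return !CONTROL_CHARS.test(value);
}

function quoteEnvAssignment(name: string, value: string): string {
  if (!ENV_NAME.test(name)) {
    throw new Error(`invalid environment variable name: ${JSON.stringify(name)}`);
  }
  if (!isSafeEnvValue(value)) {
    throw new Error(`control character in value of ${name}`);
  }
  const escaped = value.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
  return `Environment="${name}=${escaped}"`;
}

function renderUnitHardened(env: EnvVars): string {
  const lines = ["[Service]"];
  for (const name of Object.keys(env)) {
    lines.push(quoteEnvAssignment(name, env[name]));
  }
  lines.push("ExecStart=/usr/bin/true");
  return lines.join("\n") + "\n";
}

// Constructed sample config (not from any real deployment): one ordinary value
// and one carrying a newline followed by a directive systemd would execute.
const sampleEnv: EnvVars = {
  LOG_LEVEL: "info",
  PAYLOAD: "x\nExecStartPre=/bin/sh -c id",
};

// Renders the sample with both renderers and reports what each one did.
function demo(): { unsafeDirectives: string[]; hardenedRejected: boolean } {
  const unsafeDirectives = directiveNames(renderUnitUnsafe(sampleEnv));
  let hardenedRejected = false;
  try {
    renderUnitHardened(sampleEnv);
  } catch {
    hardenedRejected = true;
  }
  return { unsafeDirectives, hardenedRejected };
}

console.log(demo());
```

With the unsafe renderer the sample yields a fourth directive, ExecStartPre, that the configuration schema never offered; the hardened renderer throws before anything reaches the unit file. Rejecting control characters outright is deliberately stricter than escaping them: a newline has no legitimate place in an environment value written to a unit file, and a rejection is easier to audit than an escape routine whose correctness depends on systemd's parser.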


How to mitigate CVE-2026-32063

Install the security update from the vendor's website. Because the unit file is written by the install or reinstall path, regenerate it with the fixed version afterwards and review the unit currently installed for Environment= lines followed by directives the configuration did not intend: a unit written by a vulnerable version keeps any injected directives until it is rewritten.

Sources